Skip to content

provider/google: Improved SSL certs handling on target_https_proxy #14264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

provider/google: Improved SSL certs handling on target_https_proxy #14264

wants to merge 3 commits into from

Conversation

tmshn
Copy link
Contributor

@tmshn tmshn commented May 6, 2017

Problem

As reported in #9672, passing a partial URL of SSL cert (e.g.: projects/foo/global/sslCertificates/bar) to target_https_proxy will not be idempotent; the passed URL will not be recorded in state file and Terraform will try to add the same certs on next apply even though it's actually already set in the real resource.

Solution

This PR fixes this problem by converting partial URL to full URL every time before SSL certs comparison and API call.

tmshn added 2 commits May 6, 2017 13:57
provider/google: Added parseUrl function to extract resource informat…
16d22dc 
…ion from Google Compute API URL.
provider/google: Improved SSL certs handling on target_https_proxy
da23068 
Now partial URLs of SSL certs also have first-class support in a same way as full URLs.
tmshn
tmshn commented May 6, 2017
View reviewed changes
builtin/providers/google/provider.go Outdated
url string
}

func parseUrl(url string) (resourceInfo, error) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is kinda over-spec only for this purpose, but hope it will be useful on later usage.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So after discussing with @danawillow, I think we'd rather a more specific, less-encompassing function that just takes a URL (full or partial) for specifically the certs, and always returns the full URL. Something like what we do for disk images, though hopefully more minimal. The reason we think it'd be better to do a more specific version is because our resources tend to have shorthand inputs (like family/image or just image for images) to make the UX more intuitive and easier to work with. I also worry that the regular expression is descriptive, not prescribed, and so it may not be followed for future resources, which would lead to some maintenance headaches. :( So for the time being, I think specific solutions are probably better than generic ones. But thank you for the hard work on this! It definitely lays the groundwork if we want to move in this direction in the future.

tmshn
tmshn commented May 6, 2017
View reviewed changes
builtin/providers/google/resource_compute_target_https_proxy_test.go

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckComputeTargetHttpsProxyDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccComputeTargetHttpsProxy_basic1,
Config: testAccComputeTargetHttpsProxy_basic(resourceName, 0, 0),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I totally rewrote this TestAccComputeTargetHttpsProxy_update since the old one was insufficient: it used to create a set of resources, then destroy them and recreate a new set of resources -- this is not a test of update!

Sorry for the ugly diff.

@paddycarver paddycarver self-requested a review May 11, 2017 22:30
paddycarver
paddycarver suggested changes May 18, 2017
View reviewed changes
Copy link
Contributor

@paddycarver paddycarver left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, I think a simpler approach is warranted here. Also, rather than storing whatever the user enters in state and then translating it on every call, I think it may be a better option to use the StateFunc property on the Elem schema.Schema inside the ssl_certificates field. If you need guidance on doing that, or would rather that I go ahead and do it, I'm happy to take over or offer guidance. :)

Thanks so much for submitting this PR, and all the work that went into it. I think, at the moment, a slightly tweaked design would just be more appropriate.

builtin/providers/google/provider.go Outdated
url string
}

func parseUrl(url string) (resourceInfo, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So after discussing with @danawillow, I think we'd rather a more specific, less-encompassing function that just takes a URL (full or partial) for specifically the certs, and always returns the full URL. Something like what we do for disk images, though hopefully more minimal. The reason we think it'd be better to do a more specific version is because our resources tend to have shorthand inputs (like family/image or just image for images) to make the UX more intuitive and easier to work with. I also worry that the regular expression is descriptive, not prescribed, and so it may not be followed for future resources, which would lead to some maintenance headaches. :( So for the time being, I think specific solutions are probably better than generic ones. But thank you for the hard work on this! It definitely lays the groundwork if we want to move in this direction in the future.

@tmshn
Copy link
Contributor Author

tmshn commented May 20, 2017
edited
Loading

@paddycarver Sorry for the late reply, I was busy last week...

  • About the too "encompassing" parseUrl:
  • About utilizing StateFunc:
    • Ok, I'm happy to do the fix, but want some guidance. Could you please give me ?

@tmshn tmshn force-pushed the google_https_proxy_better_certs_handling branch from c24ec09 to 69b3cc7 Compare May 20, 2017 16:41
@tmshn
Copy link
Contributor Author

tmshn commented Jun 8, 2017

@paddycarver ping

@paddycarver
Copy link
Contributor

Hey @tmshn, my apologies for dropping the ball on this. It looks like hashicorp/terraform-provider-google#210 fixed this, so it should work now. If you continue to have problems, please let us know. And please do accept my sincerest apologies for this going unanswered; we're currently working to make sure this doesn't happen in the future. Thank you for your work and patience!

@tmshn
Copy link
Contributor Author

tmshn commented Aug 14, 2017

@paddycarver I understand the situation, no problem! And happy to hear the issue is fixed, thanks! 👍

@tmshn tmshn deleted the google_https_proxy_better_certs_handling branch August 14, 2017 12:31
@ghost
Copy link

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@paddycarver paddycarver paddycarver requested changes

Assignees
No one assigned
Labels
bug provider/google-cloud
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tmshn @paddycarver @grubernaut